Preemptive Attacker Discovery Using Honeypot

In this case we show how we discover an attacker before he discovers a real VoIP service. We distribute “several” honeypots in several world regions (Tokyo, Mumbai, Singapore, Canada, Sao Paolo, N. Virginia, N. California and Ireland). The honeypot is an SBC configured to act as a “bait”. When an attacker scanning SIP services sends a probing packet, the SBC accepts it, responds using a positive SIP answer and lures the scanner in belief he has discovered a functional SIP service. At the same time the honeypot SBC reports the incident to a Monitor, where you can study nature of the SIP attack and its originator. Understanding the attack anatomy is essential as cyberattacks on VoIP have dramatically increased in size and intensity in the past years. Already in 2011 Caida reported on the Slash Zero SIP scan that used a 3 million IP address botnets for its subversive activity!

See the Caida report for additional details.

After you launch the cloud formation stack, you may need to wait about half an hour until the first attacks begin to display in Monitor dashboards. Sometimes it may be just several minutes, occasionally it takes up to an hour, rarely longer. Typically you will see SIP OPTIONS “ping” packets which test existence and availability of a SIP service on default numbers. Often you will also see repeated SIP INVITE requests to a telephone number that come repeatedly with varying prefixes. These try to find a prefix which will gain the attacker access to PSTN termination. These scans often use either the SIPCLI or SipVicious (AKA “friendly scanner”) comand-line penetration tools. See some articles on these penetration tools at “Sip vicious — the not so friendly scanner” or “SIP Attack: Friendly Scanner” at work. The Toplist call-event list shows attempts to complete INVITE request to a telephone number with varying dialling prefixes.

How To Use It

To start the cloud formation process visit the following link:

Leave the key parameter empty — you will not be able to ssh in the honeypot instances but will not have to install the same key in all of the regions.

Once the honeypot network is up and running,  visit the Monitor at the link shown in  Cloud Formation Outputs. In the Overview dashboard, you will find the complete list of all events generated by the honeypot SBCs.

The gallery bellow shows a typical picture of  scanning attacks you will very likely see as well.  It takes something between one and 20 minutes till the first SIP scans are captured. Microanalysis dashboard reveals the penetration tools “sipcli” and “friendly scanner” as the offending SIP clients.

What Is Orchestrated


The Cloud Formation template starts several honeypot SBC in various geographic regions. There is a central Monitor in the eu-west-1 region that collects diagnostic information from all the SBCs. One of the SBCs, also located in the eu-west-1 region, serves a master configuration role and distributes its configuration to all the other SBCs.

What Else You Should Know

While learning the attacks and their sources is important, the eventual outcome should be the ability to block these. Even if scans alone may appear less harmful, scans that find a responsive SIP service are soon followed by attempts to hack the service. In a future case, we will thereforew show how the Monitor can be set up to report the IP addresses through a reputation list. Other SBCs can subscribe to the reputation list and blacklist the offenders’ IP addresses before they even see any traffic from them.